Uber Fixes Bug That Reveals Client Secrets

After becoming aware of a bug on its back-end systems, Uber repaired a vulnerability that provided access to secret developer tokens. A developer endpoint had been sending server tokens and client secrets, according to reports.

Uber said in an e-mail, according to reports, “At this time, we have no indication that the issue was exploited, but suggest reviewing your application’s practices out of an abundance of caution.” The company added, “We have mitigated the issue by restricting the information returned to the name and id of the authorized applications.”

AppSecure founder Anand Prakash told the outlet that it was “very easy” to exploit the vulnerability. He added the bug could let someone get a hold of invoices and trip receipts. An AppSecure blog post noted that the vulnerability “was plugged quickly by the engineering team at Uber.”

As it stands, server tokens and client secrets enable apps to talk with the servers of Uber. They are also “highly sensitive bits of information,” according to reports, and Uber tells developers to not provide the keys to others. According to Uber’s documentation, as cited by the blog post, “The secret for your application, this should be treated like your application’s password.”

The news comes after Uber put up a mixed bag in terms of numbers for the last quarter of 2018. Uber reported $50 billion in total bookings for ridesharing as well as food delivery for that time period. Revenue growth, however, was only 2 percent between the third and fourth quarters.

The ridesharing company also took in $11.3 billion, which marked an increase of 43 percent from the same time the year before. While Uber posted $2.2 billion in losses in 2017, it only reported losses of $1.8 billion. Revenue for the company during the quarter reached $3 billion, which marked a 24 percent increase from the prior year and 2 percent from the third quarter.